Re: How NOT to provide external name resolution on win2k3?



Joel wrote:
> We have a domain with 2 windows 2003 servers as domain controllers
> that are also providing DNS services. Workstations within the domain
> are a combination of windows xp and also legacy systems running
> windows nt. The workstations point to these 2 servers as their
> preferred dns servers.
>
> We recently discovered that the workstations can resolve internet
> addresses with no problem. While we don't actually mind that the
> workstations have internet access, we'd like to make it difficult for
> them to resolve internet addresses.
>
> At first I thought it was strange that the workstations were able to
> resolve internet addresses in Internet Explorer because the servers
> don't have any forwarders configured. The servers did however point
> to 2 "external capable" dns servers as their numbers 3 and 4 dns
> servers. (The first 2 being themselves.)

You should not use your ISP's DNS in any position on any DC or member
client. If you don't want the DNS servers resolving internet names, disable
recursion on the Advanced tab of the DNS server property sheet. This
disables forwarders and root hints.

>
> I removed the entries of the external dns servers that were bound to
> the nic card, and deleted the entries in the root hints list in the
> dns properties. Well this seemed to have stunned it momentarily, but
> after a few minutes the servers were again able to browse the
> internet. Is there any easy way to change this so that the servers
> and the workstations cannot resolve names enough to browse the
> internet?

Make sure the clients can only use the DCs for DNS, and disable recursion on
the DNS server.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
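One way to confirm the change described in the reply above took effect, as an added example that is not part of the original post: send the DC a query with the RD (recursion desired) bit set and check whether the reply has the RA (recursion available) bit and an answer. The function names are hypothetical, the two sample replies are constructed rather than captured, and the SERVFAIL code in the second sample is an assumption about how a non-recursing server might respond.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """A-record query with RD set, i.e. asking the server to recurse."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def recursion_status(response):
    """Read the header of a DNS response and report what the server offered."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    _qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    return {
        "recursion_available": bool(flags & RA),
        "rcode": rcode,
        "answers": answers,
        "resolved": rcode == 0 and answers > 0,
    }

def probe(server, name, timeout=3.0):
    """Send the query to a live server over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return recursion_status(s.recv(512))

def constructed_response(flags, with_answer):
    """Constructed sample reply for www.example.com (not captured traffic)."""
    q = build_query("www.example.com")
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, int(with_answer), 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return hdr + q[12:] + (rr if with_answer else b"")

# Before the change: the server recursed and answered (QR|RD|RA, NOERROR).
BEFORE = recursion_status(constructed_response(QR | RD | RA, True))
# After disabling recursion: RA is clear and no answer comes back (SERVFAIL assumed).
AFTER = recursion_status(constructed_response(QR | RD | 0x0002, False))

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```

Running `probe()` from a workstation against each DC, with an internet name the DC is not authoritative for, should report `recursion_available` and `resolved` both false once recursion is disabled.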